use of org.mozilla.jss.netscape.security.x509.X500Name in project jss by dogtagpki.
In class EnumerationZeroTest, method buildCrl.
/**
 * Builds a test CRL with JSS and round-trips it through the JDK
 * {@link CertificateFactory} so the result is a plain {@link X509CRL}.
 * <p>
 * One revoked entry is created per {@link RevocationReason} code from 0 to 10,
 * except code 7 (not assigned in the enumeration) and, unless {@code useZero}
 * is set, code 0 ("unspecified"). Each entry's serial number equals its reason
 * code. The CRL is signed with a freshly generated 2048-bit RSA key and carries
 * a CRL number extension plus an authority key identifier.
 *
 * @param useZero whether to include an entry whose reason is 0 ("unspecified")
 * @return the CRL as re-parsed by the JDK's X.509 {@link CertificateFactory}
 * @throws Exception if key generation, extension construction, signing or
 *         re-parsing fails
 */
public static X509CRL buildCrl(boolean useZero) throws Exception {
    // Throwaway signing key; test-only, nothing is persisted.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048);
    KeyPair signingKeys = keyGen.generateKeyPair();

    List<RevokedCertificate> entries = new ArrayList<>();
    for (int reasonCode = 0; reasonCode <= 10; reasonCode++) {
        // 7 is not assigned in the CRLReason enumeration; 0 is only emitted on request.
        boolean skipUnspecified = reasonCode == 0 && !useZero;
        if (reasonCode == 7 || skipUnspecified) {
            continue;
        }
        CRLReasonExtension reason = new CRLReasonExtension(RevocationReason.fromInt(reasonCode));
        outputExtension(reason);
        CRLExtensions perEntry = new CRLExtensions();
        perEntry.add(reason);
        // Serial number == reason code, so each entry is easy to identify when inspecting the CRL.
        entries.add(new RevokedCertImpl(BigInteger.valueOf(reasonCode), new Date(), perEntry));
    }

    CRLExtensions crlLevel = new CRLExtensions();
    crlLevel.add(new CRLNumberExtension(BigInteger.ONE));
    crlLevel.add(buildAuthorityKeyIdentifier((RSAPublicKey) signingKeys.getPublic()));

    X500Name issuer = new X500Name("CN=Test");
    // Validity window: thisUpdate = now, nextUpdate = 365 days later.
    Date thisUpdate = new Date();
    Calendar cal = Calendar.getInstance();
    cal.add(Calendar.DAY_OF_MONTH, 365);
    Date nextUpdate = cal.getTime();

    RevokedCertificate[] entryArray = entries.toArray(new RevokedCertificate[0]);
    X509CRLImpl jssCrl = new X509CRLImpl(issuer, thisUpdate, nextUpdate, entryArray, crlLevel);
    jssCrl.sign(signingKeys.getPrivate(), "SHA256withRSA");

    // Re-parse the DER through the JDK to confirm the encoding is interoperable.
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    byte[] der = jssCrl.getEncoded();
    return (X509CRL) factory.generateCRL(new ByteArrayInputStream(der));
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project jdchain-core by blockchain-jd-com.
In class CATestPlus, method run.
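/**
 * Generates a complete set of test key pairs, certificates and key/trust stores for a
 * root CA, {@code nodes} peers, {@code gws} gateways and {@code users} users.
 * <p>
 * Loop index 0 is the self-issued root; every later certificate is issued with the root
 * key produced in that first iteration. For each entity this writes, under the CLI's
 * keys home, the encoded public key ({@code .pub}), the password-protected private key
 * ({@code .priv}) and the Base58-encoded password itself ({@code .pwd}) — so that
 * directory needs the same protection as the private keys it holds. Non-root entities
 * additionally get a signing certificate under the sign home and TLS material under
 * the TLS home (a single TLS certificate for most algorithms; a separate sign/enc pair
 * for SM2), and every certificate is added to {@code trust.jks} in the TLS home.
 * <p>
 * Errors are reported on stderr via {@link Exception#printStackTrace()}; the method
 * itself does not throw.
 */
@Override
public void run() {
    File caHome = new File(caCli.getCaHome());
    if (!caHome.exists() && !caHome.mkdirs()) {
        // Not fatal on its own: the file writes below will fail with a concrete path.
        System.err.println("could not create CA home [" + caHome + "]");
    }
    try {
        if (StringUtils.isEmpty(password)) {
            password = caCli.scanValue("password for all private keys");
        }
        // Process-wide side effect that is not undone when run() returns; presumably so
        // that EC operations go through the provider the project registers — confirm.
        Security.removeProvider("SunEC");
        // Normalise once, locale-independently (algorithm names are ASCII identifiers).
        algorithm = algorithm.toUpperCase(java.util.Locale.ROOT);

        // Root material, filled in by iteration 0 and used to issue everything after it.
        PrivKey issuerPrivKey = null;
        PrivateKey issuerPrivateKey = null;
        X509Certificate issuerCrt = null;
        File trustStoreFile = new File(caCli.getTlsHome() + File.separator + "trust.jks");

        for (int i = 0; i < nodes + users + gws + 1; i++) {
            // Name and role by position: root, then peers, then gateways, then users.
            String name;
            CertificateRole ou;
            if (i == 0) {
                name = "root";
                ou = CertificateRole.ROOT;
            } else if (i <= nodes) {
                name = "peer" + (i - 1);
                ou = CertificateRole.PEER;
            } else if (i <= nodes + gws) {
                name = "gw" + (i - nodes - 1);
                ou = CertificateRole.GW;
            } else {
                name = "user" + (i - nodes - gws - 1);
                ou = CertificateRole.USER;
            }

            AsymmetricKeypair keypair = Crypto.getSignatureFunction(algorithm).generateKeypair();
            String pubkey = KeyGenUtils.encodePubKey(keypair.getPubKey());
            String base58pwd = KeyGenUtils.encodePasswordAsBase58(password);
            String privkey = KeyGenUtils.encodePrivKey(keypair.getPrivKey(), base58pwd);
            FileUtils.writeText(pubkey, new File(caCli.getKeysHome() + File.separator + name + ".pub"));
            FileUtils.writeText(privkey, new File(caCli.getKeysHome() + File.separator + name + ".priv"));
            // The password protecting <name>.priv is stored right next to it.
            FileUtils.writeText(base58pwd, new File(caCli.getKeysHome() + File.separator + name + ".pwd"));

            if (i == 0) {
                issuerPrivKey = keypair.getPrivKey();
                issuerPrivateKey = CertificateUtils.retrievePrivateKey(issuerPrivKey);
            }
            X500Name subject = caCli.buildRDN(organization, ou, country, province, locality, name, email);
            // For i == 0 the issuer key is the entity's own key and issuerCrt is null: self-issued root.
            X509Certificate certificate = caCli.genCert(CertificateUsage.SIGN, algorithm, name, subject, ou,
                    CertificateUtils.retrievePublicKey(keypair.getPubKey()), issuerPrivateKey, issuerCrt);

            if (i == 0) {
                FileUtils.writeText(CertificateUtils.toPEMString(certificate), new File(caCli.getCaHome() + File.separator + name + ".crt"));
                issuerCrt = certificate;
                caCli.trustStore(trustStoreFile, name, password, certificate);
                continue;
            }

            FileUtils.writeText(CertificateUtils.toPEMString(certificate), new File(caCli.getSignHome() + File.separator + name + ".crt"));
            String ip = resolveTlsIp(ou, i);
            PrivateKey privateKey = CertificateUtils.retrievePrivateKey(keypair.getPrivKey(), keypair.getPubKey());
            FileUtils.writeText(CertificateUtils.toPEMString(algorithm, privateKey), new File(caCli.getKeysHome() + File.separator + name + ".key"));

            if (!algorithm.equalsIgnoreCase("SM2")) {
                // One TLS certificate, subject built from the address, signed by the root.
                subject = caCli.buildRDN(organization, ou, country, province, locality, ip, email);
                X509Certificate tlsCertificate = caCli.genCert(CertificateUsage.TLS, algorithm, ip, subject, ou,
                        CertificateUtils.retrievePublicKey(keypair.getPubKey()), issuerPrivateKey, issuerCrt);
                FileUtils.writeText(CertificateUtils.toPEMString(tlsCertificate), new File(caCli.getTlsHome() + File.separator + name + ".crt"));
                caCli.keyStore(privateKey, name, password, tlsCertificate, issuerCrt);
                caCli.trustStore(trustStoreFile, name, password, tlsCertificate);
            } else {
                // SM2: separate signing and encryption key pairs, each with its own TLS certificate.
                AsymmetricKeypair signKeypair = Crypto.getSignatureFunction(algorithm).generateKeypair();
                subject = caCli.buildRDN(organization, ou, country, province, locality, ip, email);
                X509Certificate signCertificate = caCli.genCert(CertificateUsage.TLS_SIGN, algorithm, ip, subject, ou,
                        CertificateUtils.retrievePublicKey(signKeypair.getPubKey()), issuerPrivateKey, issuerCrt);
                FileUtils.writeText(CertificateUtils.toPEMString(signCertificate), new File(caCli.getTlsHome() + File.separator + name + ".sign.crt"));
                PrivateKey signPrivateKey = CertificateUtils.retrievePrivateKey(signKeypair.getPrivKey(), signKeypair.getPubKey());
                FileUtils.writeText(CertificateUtils.toPEMString(signPrivateKey), new File(caCli.getKeysHome() + File.separator + name + ".sign.key"));
                caCli.keyStore(signPrivateKey, name + ".sign", password, signCertificate, issuerCrt);

                AsymmetricKeypair encKeypair = Crypto.getSignatureFunction(algorithm).generateKeypair();
                X509Certificate encCertificate = caCli.genCert(CertificateUsage.TLS_ENC, algorithm, ip, subject, ou,
                        CertificateUtils.retrievePublicKey(encKeypair.getPubKey()), issuerPrivateKey, issuerCrt);
                FileUtils.writeText(CertificateUtils.toPEMString(encCertificate), new File(caCli.getTlsHome() + File.separator + name + ".enc.crt"));
                PrivateKey encPrivateKey = CertificateUtils.retrievePrivateKey(encKeypair.getPrivKey(), encKeypair.getPubKey());
                FileUtils.writeText(CertificateUtils.toPEMString(encPrivateKey), new File(caCli.getKeysHome() + File.separator + name + ".enc.key"));
                caCli.keyStore(encPrivateKey, name + ".enc", password, encCertificate, issuerCrt);

                caCli.doubleKeysStore(name, signPrivateKey, encPrivateKey, password, signCertificate, encCertificate, issuerCrt);
                caCli.trustStore(trustStoreFile, name + ".sign", password, signCertificate);
                caCli.trustStore(trustStoreFile, name + ".enc", password, encCertificate);
            }
        }
        System.out.println("create test certificates in [" + caCli.getCaHome() + "] success");
    } catch (Exception e) {
        // Best-effort CLI command: report and return rather than propagate.
        e.printStackTrace();
    }
}

/**
 * Picks the address used as the TLS certificate subject for loop index {@code i}.
 * Falls back to {@code 127.0.0.1} when the configured address list for the role is
 * shorter than the entity's position within that role.
 *
 * @param ou role of the entity at index {@code i}
 * @param i overall loop index (root is 0, peers start at 1, then gateways, then users)
 * @return the configured address, or {@code 127.0.0.1}
 */
private String resolveTlsIp(CertificateRole ou, int i) {
    String ip = "127.0.0.1";
    switch (ou) {
        case PEER:
            if (nodeIPs.length >= i) {
                ip = nodeIPs[i - 1];
            }
            break;
        case GW:
            if (gwIPs.length >= i - nodes) {
                ip = gwIPs[i - nodes - 1];
            }
            break;
        case USER:
            // Bounds check must be against userIPs, the array actually indexed here (not gwIPs).
            if (userIPs.length >= i - nodes - gws) {
                ip = userIPs[i - nodes - gws - 1];
            }
            break;
        default:
            break;
    }
    return ip;
}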
use of org.mozilla.jss.netscape.security.x509.X500Name in project webauthn4j by webauthn4j.
In class TestAttestationUtil, method createV1DummyCertificate.
/**
 * Builds a throw-away X.509 v1 certificate for tests: issuer and subject are both
 * {@code O=SharpLab., C=US}, serial 1, valid from 2000-01-01 to 2999-12-31, and the
 * SubjectPublicKeyInfo carries the SHA256WITHRSA algorithm identifier with an empty
 * key — only the certificate structure is meaningful. It is signed with a fresh RSA
 * key from {@link RSAUtil#createKeyPair()}.
 * <p>
 * NOTE(review): the {@code X500Name} consumed by {@code X509v1CertificateBuilder} is
 * presumably BouncyCastle's ({@code org.bouncycastle.asn1.x500.X500Name}) — confirm
 * against the file's imports.
 *
 * @return the generated certificate
 * @throws com.webauthn4j.validator.exception.CertificateException if the holder cannot
 *         be converted to a JCA certificate
 * @throws UnexpectedCheckedException if the content signer cannot be created
 */
public static X509Certificate createV1DummyCertificate() {
    X500Name sharpLab = new X500Name("O=SharpLab., C=US");
    Date notBefore = Date.from(Instant.parse("2000-01-01T00:00:00Z"));
    Date notAfter = Date.from(Instant.parse("2999-12-31T23:59:59Z"));
    // Algorithm identifier only; the public-key bytes are deliberately empty.
    SubjectPublicKeyInfo emptyKey = new SubjectPublicKeyInfo(
            new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WITHRSA"), new byte[0]);
    try {
        X509v1CertificateBuilder builder = new X509v1CertificateBuilder(
                sharpLab, BigInteger.valueOf(1), notBefore, notAfter, sharpLab, emptyKey);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .build(RSAUtil.createKeyPair().getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        try {
            return new JcaX509CertificateConverter().getCertificate(holder);
        } catch (CertificateException e) {
            throw new com.webauthn4j.validator.exception.CertificateException(e);
        }
    } catch (OperatorCreationException e) {
        throw new UnexpectedCheckedException(e);
    }
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project webauthn4j by webauthn4j.
In class PackedAttestationStatementValidatorTest, method generateCertPath.
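/**
 * Creates a one-element attestation certificate path holding a self-signed test
 * certificate for {@code pair}.
 * <p>
 * Issuer and subject are both {@code C=ORG, O=Dummy Org, OU=Authenticator Attestation,
 * CN=Dummy}; the certificate is valid for one day from now and carries a critical
 * BasicConstraints extension (OID 2.5.29.19) with {@code cA=false}. Conversion to a JCA
 * certificate uses a BouncyCastle provider instance passed explicitly rather than one
 * registered globally with {@code Security.addProvider}.
 * <p>
 * NOTE(review): the serial number is {@link BigInteger#ZERO}; RFC 5280 requires a positive
 * serial, so this certificate only suits tests whose parser does not enforce that.
 *
 * @param pair key pair whose public key is certified and whose private key signs
 * @param signAlg JCA signature algorithm name understood by {@code JcaContentSignerBuilder}
 * @return the single-certificate path
 * @throws UnexpectedCheckedException if signer creation, extension encoding or
 *         certificate conversion fails
 */
private static AttestationCertificatePath generateCertPath(KeyPair pair, String signAlg) {
    try {
        Provider bcProvider = new BouncyCastleProvider();
        Date from = new Date();
        Date to = new Date(from.getTime() + TimeUnit.DAYS.toMillis(1));
        X500Name dnName = new X500Name("C=ORG, O=Dummy Org, OU=Authenticator Attestation, CN=Dummy");
        BigInteger certSerialNumber = BigInteger.ZERO;
        ContentSigner contentSigner = new JcaContentSignerBuilder(signAlg).build(pair.getPrivate());
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
                dnName, certSerialNumber, from, to, dnName, pair.getPublic());
        // 2.5.29.19 = id-ce-basicConstraints; critical, cA=false (an end-entity certificate).
        certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, new BasicConstraints(false));
        X509Certificate certificate = new JcaX509CertificateConverter()
                .setProvider(bcProvider)
                .getCertificate(certBuilder.build(contentSigner));
        return new AttestationCertificatePath(Collections.singletonList(certificate));
    } catch (OperatorCreationException | CertificateException | CertIOException e) {
        throw new UnexpectedCheckedException(e);
    }
}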
use of org.mozilla.jss.netscape.security.x509.X500Name in project snowblossom by snowblossomcoin.
In class CertGen, method generateSelfSignedCert.
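/**
 * Builds the self-signed TLS certificate for a node, binding the temporary TLS key to the
 * node's address.
 * <p>
 * The subject and issuer DN is {@code CN=<node address>, O=Snowblossom}. A critical private
 * extension (OID 2.5.29.134) carries a {@link SignedMessage} produced with {@code key_pair}
 * over a payload holding the TLS public key — presumably so a peer can check that the node
 * key vouches for this TLS key. The certificate itself is signed with {@code tls_wkp} using
 * SHA256withRSA; the serial number is the creation time in milliseconds and validity runs
 * from creation for ten 365-day years.
 * <p>
 * NOTE(review): 2.5.29.134 lies under the id-ce arc (2.5.29) used for standard certificate
 * extensions; presumably project-chosen — confirm it does not collide with an assigned value.
 * Because the extension is critical, an X.509 validator that does not recognise it must
 * reject the certificate.
 *
 * @param key_pair Key pair to use to sign the cert inner signed message, the node key
 * @param tls_wkp The temporary key to use just for this cert and TLS sessions
 * @param spec Address for 'key_pair'
 * @return the certificate, converted through the "BC" provider
 * @throws Exception if key decoding, message signing, certificate signing or conversion fails
 */
public static X509Certificate generateSelfSignedCert(WalletKeyPair key_pair, WalletKeyPair tls_wkp, AddressSpec spec) throws Exception {
    AddressSpecHash address_hash = AddressUtil.getHashForSpec(spec);
    String address = AddressUtil.getAddressString(Globals.NODE_ADDRESS_STRING, address_hash);

    byte[] encoded_pub = tls_wkp.getPublicKey().toByteArray();
    SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(ASN1Sequence.getInstance(encoded_pub));

    String dn = String.format("CN=%s, O=Snowblossom", address);
    X500Name issuer = new X500Name(dn);
    X500Name subject = issuer; // self-signed: same DN on both sides

    // One timestamp so that serial, notBefore and notAfter agree on the creation instant.
    long created = System.currentTimeMillis();
    BigInteger serial = BigInteger.valueOf(created);
    Date notBefore = new Date(created);
    Date notAfter = new Date(created + 86400000L * 365L * 10L);
    X509v3CertificateBuilder cert_builder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectPublicKeyInfo);

    // Inner claim: the node key signs a payload containing the TLS public key.
    SignedMessagePayload payload = SignedMessagePayload.newBuilder().setTlsPublicKey(tls_wkp.getPublicKey()).build();
    SignedMessage sm = MsgSigUtil.signMessage(spec, key_pair, payload);
    byte[] sm_data = sm.toByteString().toByteArray();
    ASN1ObjectIdentifier snow_claim_oid = new ASN1ObjectIdentifier("2.5.29.134");
    cert_builder.addExtension(snow_claim_oid, true, sm_data);

    // Outer signature over the certificate with the TLS key (RSA).
    String algorithm = "SHA256withRSA";
    AsymmetricKeyParameter tlsPrivateKeyParam = PrivateKeyFactory.createKey(tls_wkp.getPrivateKey().toByteArray());
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(tlsPrivateKeyParam);

    X509CertificateHolder certificateHolder = cert_builder.build(sigGen);
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
}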